CPR-Zero: CVE-2019-5998

Information

File: PtpMgr/PtpApp/PtpOperation.c (probably)
Function: PTP_NotifyBtStatus()

The handler copies the received message into a local stack buffer of size 0x120 bytes. The incoming message has no byte constraints and can be way bigger than this fixed size.
Note: The vulnerability only triggers over USB and not over WiFi.

Decompiling the vulnerable code will look roughly like this:

input_size = ctx->get_data_size_ptr(ctx->handle);
// EI-DBG: The local buffer is of size 0x120 bytes
bzero(local_buffer, 0x120);
PTP_FillUpResponse(&msg, args);
// EI-DBG: Input is read according to the attacker controlled "input_size"
if ( ctx->recv_data_ptr(ctx->handle, local_buffer, input_size) >= 0 )
{
    COM_NotifyBtStatus(input_size, param1, local_buffer);
}
some_fptr = global_ptp_memory_context->adapterStatusCallback;
if ( some_fptr )
{
    some_fptr(global_ptp_memory_context->fptr_108, 12, param1);
}
result = PTP_SendResponse(ctx, &msg) < 0;
if ( result )
{
    ... // error handling
    result = 1;
}
return result;

References:
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5998

Share this: